Contents (heading text was lost in extraction; only the numbering and the entries below survive)
I.   1. (1) (2) (3) (4) (5)   2. (1) (2) (3)
II.  1. (1) (2)
     2. (1) OLEDB  (2) IOCP  (3)
     3. (1) (2) (3) (4)
     4. (1) AhnLab HackShield for Online Game  (2) nprotect GameGuard  (3)  (4) SGP  (5) MFGS (MyFirewall for Game services)
     5. (1) MMORPG  (2)  attack types: (1) Key Logger  (2)  (3) Back Door  (4) through (10)
     6. (1) (2)
III. 1.   2. (1) (2)   3.
I.
1. (1) [Only fragments survive.] Since 2001; 300 to 500; 3D graphics. (2) Market size: 2003, 7,541; 2006, 17,058; growth of 31.3%.
<Figure 1-1-1> Outlook for the domestic online game market
2003: 20; 2004: 40 (a 100% increase); 2005.
<Table 1-1-1> Overseas expansion of domestic online games and concurrent user counts
(3) Application hacks. Packaged products: firewall, intrusion detection (IDS), intrusion prevention (IPS), anti-virus vaccine. (4) A win-win relationship between game companies and security vendors: 2000, CJ, 30; 2004, 25; nprotect GameGuard, SEGA, 9/20, 1000; PC. 2003, PC; anti-virus vaccine, HackShield; Digital Media Exchange Inc. (5) [not recoverable].
<Figure 1-1-2> Share of the domestic online game market in the world market
MMORPG (e.g. Blizzard's World of Warcraft). (1) (2) (3) [not recoverable].
II.
1. (1) Network security products: firewall, virus wall, IPS, IDS.
( ) Firewall. Controls access to services (ftp, telnet, web) by IP address and port; OS level. 1) IP, DNS; outbound network and inbound network. 2) HTTP, DoS; per-packet IP inspection adds overhead.
( ) Virus Wall: gateway anti-virus. 1) Scans traffic at the gateway. 2) Plug-and-use, plug-in deployment; SMTP, HTTP, POP3, FTP; Gigabit (400 Mbps full-duplex throughput); Bloodhound heuristic detection; 125 to 140; 100 e-mail. 3) Feature summary: anti-virus on HTTP, SMTP, POP3, FTP; Live-Update and update scheduling; content filtering on SMTP and POP3 by IP, mail ID, mail size, attached file and keyword; HTTP/SMTP management through a web browser; client/server (middleware) architecture; off-line operation.
2) IDS. Host-based IDS (H-IDS) runs on the host it protects; network-based IDS (N-IDS) watches a segment, fed by port mirroring or a TAP (Test Access Port), and is passive: it detects but does not block.
3) IDS deployment: customizing; 90% / 10%; 24.
<Table 2-1-1> IDS market size, overseas and domestic
( ) Intrusion Prevention System (IPS). Where IDS only detects, IPS also blocks. 1) IPS versus IDS: DoS/DDoS (Distributed Denial of Service); inline at layer 2; TCP, IP, UDP inspection. Because IPS sits inline, a false positive blocks legitimate traffic, which an IDS alert would not.
2) IPS products since 2003; Common Criteria (CC) certification, 2004, 4. 3) IPS [not recoverable].
(2) ( ) Myfirewall. 1) A personal firewall for the PC; backdoor; FTP, e-mail. Myfirewall protects the PC. 2) Features: IP-based rules [details not recoverable].
Keystroke-protection products: Softcamp Keystroke, K-Defense, nprotect KeyCrypt.
<Figure 2-1-1> Overview of Softcamp Keystroke
(1) ( ) [not recoverable]. (2) ( ) [not recoverable]. ( ) FTP.
2. (1) 4 [not recoverable]; World of Warcraft, MMORPG. (2) Game elements: 1) Unit; 2) through 5) [not recoverable].
( ) Adventure games: Adventure (1976), Infocom's Zork (1980), Sierra On-Line's Mystery House; LucasArts; Quest; Cyan's Myst, 1000.
( ) Role-playing games: table role-playing game Dungeons and Dragons (1974), 30 years; J. R. R. Tolkien; Wizardry (1981), Ultima, Diablo; Dragon Quest, Final Fantasy.
( ) Arcade (game center): Pong, Taito's Space Invaders; Nexon.
( ) Sports: EA Sports FIFA 2005, NBA 2005, NHL 2005.
( ) MMORPG
MMORPG (Massively Multi-player Online Role-Playing Game) grew out of the MUD and MUG; the leading example is Blizzard's WOW (World of Warcraft).
(1) OLEDB. Data access from the game/web server: DSN versus DSN-less connections, OLEDB. The native database API differs per vendor; ODBC (Open DataBase Connectivity) unified the API, and DAO (Data Access Objects) wrapped it in an object model:
    objitem.AddNew
    objitem.Name = "Chair"
    objitem.Price = 10
    objitem.Update
DAO was followed by RDO (Remote Data Objects) and ADO. OLEDB is COM-based and sits below ADO; an ASP page uses ADO, ADO uses OLEDB, and OLEDB can in turn reach ODBC drivers. Opening a connection from ASP:
    Dim objconn
    Set objconn = Server.CreateObject("ADODB.Connection")
    ' ODBC, via a DSN or a driver name
    objconn.ConnectionString = "DSN=pubs;UID=sa;PWD=;DATABASE=pubs;server=mymachine"
    objconn.ConnectionString = "Driver={MS SQL-Server};UID=sa;PWD=;DATABASE=pubs;server=mymachine"
    ' OLEDB, generic form
    objconn.ConnectionString = "Provider=ProviderName; Data Source=DatabaseSource; Initial Catalog=DatabaseName; User ID=UserID; Password=Password"
SQL Server, DSN-less ODBC and OLEDB respectively:
    DRIVER={MS SQL-Server};UID=sa;PWD=;DATABASE=pubs;SERVER=myMachine
    Provider=SQLOLEDB; Data Source=myMachine; Initial Catalog=pubs; User ID=sa; Password=XXXX
Access (.mdb), ODBC and OLEDB respectively:
    DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=c:\inetpub\wwwroot\users.mdb
    Provider=Microsoft.Jet.OLEDB.3.51; Data Source=c:\inetpub\wwwroot\users.mdb
A DSN-less OLEDB connection avoids the ODBC layer and is faster than a DSN connection.
<Table 2-2-1> Performance comparison
Two of the strings above show habits a reviewer should reject: the web application logs in as sa, the SQL Server administrator, and in the ODBC example with an empty password (PWD=), so any injection or leaked page source yields full control of the server; and the Access file is placed under c:\inetpub\wwwroot, where the web server will hand it to anyone who requests /users.mdb. Use a dedicated low-privilege login, keep credentials out of page source, and keep database files outside the web root.
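The following is an added example, not code from the report: a small audit of the connection strings quoted above. It parses the Key=Value;Key=Value form that ODBC and OLEDB share and flags the three problems named in the text (privileged account, empty or embedded password, .mdb under the web root). The fourth, "Integrated Security=SSPI" string is a hypothetical hardened form added for contrast; the account list in PRIVILEGED_ACCOUNTS is an assumption.

```python
# Added example (not from the report): audit ADO / OLEDB / ODBC connection strings.

PRIVILEGED_ACCOUNTS = {"sa", "admin", "administrator", "root"}

# Constructed inputs: the strings quoted in the text, plus one hypothetical hardened form.
SAMPLE_CONNECTION_STRINGS = [
    "DRIVER={MS SQL-Server};UID=sa;PWD=;DATABASE=pubs;SERVER=myMachine",
    "Provider=SQLOLEDB; Data Source=myMachine; Initial Catalog=pubs; User ID=sa; Password=XXXX",
    r"DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=c:\inetpub\wwwroot\users.mdb",
    "Provider=SQLOLEDB; Data Source=myMachine; Initial Catalog=pubs; Integrated Security=SSPI",
]


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict keyed by the lower-cased key.

    Values are kept verbatim.  ODBC driver names wrapped in {} need no special
    handling because we split on ';' and only on the first '=' of each segment.
    """
    parts = {}
    for segment in conn.split(";"):
        key, sep, value = segment.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts


def audit_connection_string(conn):
    """Return the findings for one connection string; [] means nothing was flagged."""
    p = parse_connection_string(conn)
    findings = []

    # Both spellings occur: 'User ID' / 'Password' (OLEDB) and 'UID' / 'PWD' (ODBC).
    user = p.get("user id", p.get("uid"))
    pwd = p.get("password", p.get("pwd"))

    if user is not None and user.lower() in PRIVILEGED_ACCOUNTS:
        findings.append("privileged-account:" + user)
    if pwd is not None:
        # 'PWD=' with nothing after it means the login has no password at all.
        findings.append("empty-password" if pwd == "" else "password-in-source")

    # A Jet/Access .mdb under the web root can be downloaded over HTTP.
    path = p.get("data source", p.get("dbq", "")).lower()
    if path.endswith(".mdb") and "wwwroot" in path:
        findings.append("database-file-in-webroot:" + path)
    return findings


def audit_all(conn_strings=SAMPLE_CONNECTION_STRINGS):
    """Map each connection string to its list of findings."""
    return {c: audit_connection_string(c) for c in conn_strings}


if __name__ == "__main__":
    for conn, findings in audit_all().items():
        print(conn)
        for f in findings:
            print("   -", f)
```

Run it as a script to see each string with its findings; only the SSPI variant comes back clean.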
(2) IOCP. A server thread per connection wastes CPU on context switches; the I/O completion port (IOCP) lets a small pool of threads service many asynchronous I/O operations. 1) Overlapped (asynchronous) I/O: open the handle with CreateFile and FILE_FLAG_OVERLAPPED, issue ReadFile or WriteFile with an OVERLAPPED structure, and collect the result with GetOverlappedResult; ReadFileEx and WriteFileEx instead deliver completion through a callback. ( ) IOCP: completions are queued to the port and dequeued by worker threads, so the number of threads is tied to the number of CPUs rather than the number of connections.
(3) Cryptography for game and web traffic. Algorithms named: Blowfish, RC4, MD5 hash.
( ) Key length: 40-bit and 128-bit keys; RC4-40 versus 128-bit IDEA. A 40-bit key is within reach of exhaustive search.
( ) Symmetric ciphers. 1) A stream cipher XORs the plaintext with a keystream; the one-time pad is the limiting case with a truly random keystream that is never reused. RC4 (RSA Data Security) is a stream cipher. DES (Data Encryption Standard) is a 64-bit block cipher, standardized in 1976 and in service for about 20 years; its 56-bit key is now brute-forceable, which is why 128-bit ciphers replaced it. In 1997 the AES (Advanced Encryption Standard) process began, with 128-, 192- and 256-bit keys; the five finalists were MARS, RC6, Rijndael, Serpent and Twofish, and Rijndael was selected. ETRI's SEED is a 128-bit block cipher.
2) Public-key cryptography, proposed by Whitfield Diffie and Martin Hellman in 1976: RSA, DSA, KCDSA, typically with 1024-bit keys; ECC (Elliptic Curve Cryptosystem) at 160 bits offers comparable strength to 1024-bit RSA or DSA. A CA (Certification Authority) binds keys to identities; together this is the PKI (Public Key Infrastructure).
( ) 1) SSL (Secure Sockets Layer) runs over TCP (Transmission Control Protocol). The server presents a public key certificate issued by a CA such as VeriSign; the client verifies it and the two negotiate session keys. SSL VPNs reuse the same mechanism. Algorithms in the SSL suites: DES, DSA, KEA, MD5, RC2, RC4, RSA, RSA key exchange, SHA-1, SKIPJACK, 3DES.
SSL 3.0 with 128-bit RSA-RC4-MD5 was the common strong suite: the RC4 key space is about 3.4 x 10^38 keys, and 3DES provides a 168-bit key. Note that SSL 3.0, RC4, MD5 and single DES are all considered broken today; TLS with AES and SHA-2 is the current baseline.
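The stream-cipher and one-time-pad discussion above comes down to one rule, keystream must never be reused; the following added example (not code from the report) shows why. The keystream generator is a constructed stand-in (SHA-256 in counter mode), not RC4 or SEED, and the key, nonces and messages are made up; the attack itself is the standard one.

```python
# Added example (not from the report): XOR stream cipher and the keystream-reuse attack.
import hashlib


def keystream(key, nonce, nbytes):
    """Toy keystream: SHA-256 of (key, nonce, counter) in counter mode.

    Constructed for illustration; it stands in for RC4/SEED/AES in a stream mode.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """ciphertext = plaintext XOR keystream; decryption is the identical operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def recover_from_reuse(ct1, ct2, known_pt1):
    """If two messages share one keystream, ct1 XOR ct2 == pt1 XOR pt2.

    Knowing (or guessing) pt1 therefore yields pt2 with no key at all.  With a fresh
    nonce per message the same XOR is just random noise.
    """
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor_bytes(xor_bytes(ct1[:n], ct2[:n]), known_pt1[:n])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pt1, pt2 = b"attack at dawn!!", b"retreat at dusk!"
    c1 = encrypt(key, b"nonce-1", pt1)
    c2 = encrypt(key, b"nonce-1", pt2)          # nonce reused: the bug
    print(recover_from_reuse(c1, c2, pt1))      # prints b'retreat at dusk!'
    c3 = encrypt(key, b"nonce-2", pt2)          # fresh nonce: nothing recoverable
    print(recover_from_reuse(c1, c3, pt1))
```

A one-time pad is the special case where the keystream is truly random, as long as the message and used once; every stream cipher inherits the same reuse failure.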
3. (1) Threats to online games [text largely not recoverable]. (2) Attack types: key stroke hooking, DDoS, account theft and item theft.
(1) ( ) Attackers, motives and targets [not recoverable].
(2) Attacks on the client and account.
( ) Key stroke hooking: a keylogger or sniffer on the player's PC captures the game ID and password as they are typed.
( ) Auto mouse / macro: A, O [details not recoverable].
<Figure 2-3-1> Auto-mouse connection diagram
( ) Speed hack: the client is manipulated so the character moves or attacks faster than the server intends. ( ) MMORPG skill and PK (player-kill) exploits. ( ) Lag exploitation: latency between client and server is abused to duplicate actions or items. ( ) MOB and NPC exploits: in an MMORPG the monsters (MOB) and non-player characters (NPC) are controlled by the server, and bugs in their behaviour are farmed.
( ) Value-range bugs: item counts or money values that wrap (0, -256, 255, -257) when the client sends a value outside the expected range.
(3) Malware. ( ) Worm: spreads by itself over the network; MMORPG clients are a target. ( ) Virus: per Ralf Burger's definition, code that attaches itself to other programs. ( ) Bot: a compromised PC under remote control, used for DDoS. ( ) Back door (Unix examples): a ".rhosts" entry of "+ +" trusts every host for rsh, rlogin and rexec; a replaced login binary with a hard-coded password; a finger daemon replacement; a cron job that re-opens access; trojaned ls and cat that hide the attacker's files; shell history edited to remove traces; TCP/UDP/ICMP back doors that listen or wake up on a crafted packet, where a firewall that filters TCP but not UDP misses the UDP variants. ( ) Trojan: Back Orifice, Netbus, SubSeven (Sub7), rootkits. 1) through 3) [not recoverable].
(4) Reconnaissance and denial of service.
( ) Port scanning: finds TCP and UDP ports in LISTENING state, hence which services run; scanning tools. Positive scan (open ports) versus negative scan (closed ports). Four methods: Open scan, completing the TCP/IP three-way handshake, which the target logs; Half-open (SYN) scan, which never completes the handshake with the client PC; Stealth scans, including TCP fragment scans that split the TCP/IP header across fragments; FTP Bounce and spoofed TCP, where an FTP server's PASV/PORT handling is abused to scan a third host so the scan appears to come from the FTP server's IP.
( ) Vulnerability scanner (System Scanner). ( ) Sniffing: TCP/IP carries many protocols in plain text, so credentials on the same segment can be read.
( ) Denial of service (DoS)
<Figure 2-3-2> DoS concept diagram
Resource hogging of CPU, memory and bandwidth; to the player it appears as lag. ( ) Spoofing: IP spoofing forges the source address to defeat address-based authentication in TCP/IP; DNS spoofing feeds false answers and combines with DoS against the real DNS server to attack rlogin/rsh trust; web spoofing.
(5) ( ) IIS. Microsoft IIS on NT and 2000 serves www, FTP and Gopher; IIS 4.0 and 5.0 were hit by the Nimda worm, which used the Unicode directory-traversal flaw: overlong UTF-8 encodings of "/" and "\" (%c0%af, %c1%9c) passed IIS's check for ".." and let /scripts/ requests reach cmd.exe. Nmap, FTP, CGI.
<Figure 2-3-3> IIS Unicode CGI execution screen
( ) [not recoverable].
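The following added example (not code from the report) detects that request pattern in web-server logs. It reproduces the decoding mistake the vulnerable IIS made, accepting overlong UTF-8 sequences that a conforming decoder rejects, decodes twice to catch %25-style double encoding, and then looks for ".." in the normalized path. The log lines are constructed, not real traffic.

```python
# Added example (not from the report): IIS Unicode traversal detector over log lines.
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:10:12:01 +0900] "GET /index.asp HTTP/1.0" 200 1234',
    '10.0.0.9 - - [18/Sep/2001:10:12:03 +0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 532',
    '10.0.0.9 - - [18/Sep/2001:10:12:04 +0900] "GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 532',
    '10.0.0.9 - - [18/Sep/2001:10:12:05 +0900] "GET /scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd.exe HTTP/1.0" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def lenient_utf8_decode(data):
    """Decode UTF-8 the way the vulnerable IIS did: overlong forms such as
    C0 AF ('/') and C1 9C ('\\') are accepted instead of rejected."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and 0x80 <= data[i + 1] <= 0xBF and 0x80 <= data[i + 2] <= 0xBF):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_decodes(raw_path):
    """True if a standards-conforming decoder accepts the percent-decoded path."""
    try:
        unquote_to_bytes(raw_path).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def normalize_path(raw_path):
    """Drop the query, percent-decode twice (catches %255c double encoding), decode
    leniently, and fold backslashes so either traversal direction looks the same."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = lenient_utf8_decode(unquote_to_bytes(path))
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True if the normalized path contains a '..' segment."""
    return bool(TRAVERSAL_RE.search(normalize_path(raw_path)))


def scan_log(lines):
    """Return the log lines whose request path climbs above the web root."""
    return [line for line in lines
            if (m := REQUEST_RE.search(line)) and is_traversal(m.group(1))]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal:", hit)
```

The contrast between strict_decodes() and lenient_utf8_decode() is the whole bug: a decoder that rejects overlong sequences never sees the second "/" and the ".." check works.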
4. Security products adopted by online game companies: firewalls, IDS and client-side anti-hack programs. (1)
<Table 2-4-1> Programs adopted by each online game company
(2) ( ) nprotect GameGuard. ( ) IDS, 2003. ( ) [not recoverable].
(1) AhnLab HackShield for Online Game ( ). Features: 1) through 4) [not recoverable]; 5) tm; 6) [not recoverable]; 7) detection of message hooking; 8) through 10) [not recoverable].
(2) nprotect GameGuard. ( ) 1) through 4) protection of the client PC; 5) and 6) [not recoverable]. ( ) Detection items: 1) client memory and process protection; 30; 2) and 3) [not recoverable]; client PC; 4) and 5) [not recoverable].
<Figure 2-4-1> nprotect GameGuard system diagram
(3) ( ) Suite. 1) and 2) [not recoverable]; 3) a suite covering the client; 4) supported OS on the PC; 5) PC; 6) and 7) suite components installed on the PC; 8) suite [not recoverable].
(4) SGP ( ). 1) through 3) [not recoverable].
(5) MFGS (MyFirewall for Game services) ( ). 1) and 2) [not recoverable]; 3) MFGS; 4) 10; 5) MFGS; 6) DLL injection protection. ( ) Operation: 1) MFGS installed with the game client; 2) MFGS communicates with its server; 3) [not recoverable].
5. Incident cases. (1) MMORPG. ( ) 2003, company W: an FTP server on a game host was abused through its FTP port. ( ) 2003, company W [not recoverable]. ( ) Company P: CD. ( ) Company J: 3. ( ) Company G. ( ) ID and e-mail theft by the LegMir-Y trojan, which steals the game ID and password from the player's PC.
(2) Press cases. 1) HTML: September 2004, a 32-year-old, 3, A (report of 2004-11-23; 160).
<Figure 2-5-1> Cyber-money hacking distribution path
2) ID theft: January to March 2005, a 28-year-old and a 22-year-old, 172 IDs, 15, 5, 4,600 (report of 2005-03-14). March 2002 to April: 1, 5000, 1, 600; 30 (report of 2004-11-12, 30).
<Figure 2-5-2> Cyber-money illegal distribution system
(1) Key Logger. (2) Penetration-test scenario:
<Figure 2-5-3> Penetration-test scenario
Web application attacks against php and jsp pages, and asp. (3) Back Door. (4) [not recoverable]. (5) Alt+Tab: switching away from the client. (6) through (8) [not recoverable]; TCP/IP, IPsec. (9) and (10) [not recoverable].
6. (1) Incident response capability: IDS. Incidents: 20 in 2003, 40 in 2004. (2) [not recoverable].
<Table 2-6-1> Incident reports received and handled
1500; 42.
<Figure 2-6-1> Monthly reports of hacking, worm and spam-relay incidents
III.
1. Countermeasures: network devices (IDS, IPS); "availability"; php; 3.
<Table 3-1-1> Hacking and virus statistics and analysis
2. (1) IT infrastructure: 2.
(2) Myfirewall on each PC. (1) Traffic monitoring with Netflow and Flowscan: Netflow exports flow records (source and destination IP, ports, protocol; 7 fields); the flow collector (flowcollector) stores them and Flowscan graphs them with mrtg, through a GUI or CLI.
<Figure 3-2-1> Flowscan concept diagram
<Figure 3-2-2> bps per protocol (TCP, UDP, ICMP); TCP dominates bps.
<Figure 3-2-3> fps (flows per second) per protocol; fps rises with the number of distinct IP pairs, so a scan or worm shows as an fps spike even at low bps.
<Figure 3-2-4> pps (packets per second) per protocol.
( ) AAA (Authentication, Authorization, Accounting). (1) OS hardening.
Disable services that are not needed.
<Figure 3-2-5> Service control on Windows
( ) On Linux, ntsysv (or setup, System services) selects services per runlevel. ( ) In /etc/rc.d/rc3.d (runlevel 3, full multiuser mode), "ls -la S*" lists the scripts started at boot: S links start a service, K links kill it; both point into /etc/rc.d/init.d/. Use "chkconfig <name> on|off" to change them and "service <name> start|stop" for the running instance.
(2) Open ports. A service such as ftp or smtp listens on a TCP/IP port; find them with nmap from outside, or locally with fport or Active Ports (http://www.snapfiles.com/get/activeports.html) on Windows, which also kills the owning process.
<Figure 3-2-6> Active Ports
On Linux use netstat: -l for listening sockets, -p for the owning program.
<Figure 3-2-7> netstat output
Figure 3-2-7 shows PID 587 behind 2265/tcp. Look at what that PID really is:
    # ls -la /proc/587/
    total 0
    dr-xr-xr-x    3 osiris   osiris   0 Mar 10 20:52 ./
    dr-xr-xr-x   45 root     root     0 Mar  6 15:55 ../
    -r--r--r--    1 root     root     0 Mar 10 20:52 cmdline
    -r--r--r--    1 root     root     0 Mar 10 20:52 cpu
    lrwxrwxrwx    1 root     root     0 Mar 10 20:52 cwd -> //
    -r--------    1 root     root     0 Mar 10 20:52 environ
    lrwxrwxrwx    1 root     root     0 Mar 10 20:52 exe -> /usr/sbin/osirisd*
    dr-x------    2 root     root     0 Mar 10 20:52 fd/
    -r--r--r--    1 root     root     0 Mar 10 20:52 maps
    -rw-------    1 root     root     0 Mar 10 20:52 mem
    -r--r--r--    1 root     root     0 Mar 10 20:52 mounts
    lrwxrwxrwx    1 root     root     0 Mar 10 20:52 root -> //
    -r--r--r--    1 root     root     0 Mar 10 20:52 stat
    -r--r--r--    1 root     root     0 Mar 10 20:52 statm
    -r--r--r--    1 root     root     0 Mar 10 20:52 status
"exe -> /usr/sbin/osirisd" names the binary: is it the osirisd you installed? /etc/services maps well-known ports to names (80 <-> http) but says nothing about an unknown port like 2265, so the exe link is the evidence. If the process is not wanted, "kill -9 587" and remove its startup script. Two caveats: netstat and ps can themselves be replaced, and an LKM (kernel module) rootkit hides a process from both, so cross-check with chkrootkit (http://www.chkrootkit.org/) and by reading /proc directly; and a socket bound to 127.0.0.1 is reachable only from the local host, which lowers but does not remove its risk.
(3) Patching: Windows Update, or its CLI.
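The cross-check suggested above, done without trusting netstat: the following added example (not code from the report) reads the listening sockets from /proc/net/tcp, maps each socket inode to the process holding it through /proc/<pid>/fd, and reports ports that /proc shows but netstat did not. The /proc/net/tcp text and fd-link mapping used for the demonstration are constructed (inode 12345 on 2265/tcp owned by PID 587 mirrors the case above); the live functions assume a little-endian Linux host and skip processes whose fd directory cannot be read.

```python
# Added example (not from the report): listening sockets from /proc, owner PIDs, and
# a diff against what netstat reported.
import os
import socket
import struct

LISTEN = "0A"  # st column value for TCP_LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp content: a listener on 0.0.0.0:2265 (0x08D9), one on
# 127.0.0.1:22 (0x0016), and one established connection (st 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08D9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C0A8 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12399 1 0000000000000000 20 4 30 10 -1
"""

# Constructed {pid: [readlink targets under /proc/<pid>/fd]}; PID 587 holds inode 12345.
SAMPLE_FD_LINKS = {
    "587": ["/dev/null", "/dev/null", "/var/log/osiris.log", "socket:[12345]"],
    "1": ["socket:[12346]"],
}


def hex_to_ipv4(h):
    """/proc/net/tcp prints the IPv4 address as a native-endian 32-bit hex value;
    on the little-endian hosts assumed here, '0100007F' is 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))


def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, state, inode)] for every row after the header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        rows.append((hex_to_ipv4(addr_hex), int(port_hex, 16), f[3], int(f[9])))
    return rows


def collect_fd_links():
    """Live walk of /proc/<pid>/fd; processes we are not allowed to inspect are skipped."""
    links = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        targets = []
        for name in names:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, name)))
            except OSError:
                pass
        links[pid] = targets
    return links


def inode_to_pids(fd_links):
    """Invert {pid: [fd targets]} into {socket inode: [pid, ...]}."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                owners.setdefault(int(t[8:-1]), []).append(int(pid))
    return owners


def listeners_with_owners(proc_net_tcp_text, fd_links):
    """[(ip, port, [pids])] for each LISTEN socket.  An empty owner list after a
    full walk as root means no visible process holds the socket: worth a look."""
    owners = inode_to_pids(fd_links)
    return [(ip, port, owners.get(inode, []))
            for ip, port, state, inode in parse_proc_net_tcp(proc_net_tcp_text)
            if state == LISTEN]


def ports_hidden_from_netstat(netstat_listen_ports, proc_listeners):
    """Ports listening per /proc but missing from netstat's output: the mark of a
    userland-trojaned netstat (a kernel-level LKM rootkit can hide from both)."""
    return sorted({port for _, port, _ in proc_listeners} - set(netstat_listen_ports))


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for ip, port, pids in listeners_with_owners(fh.read(), collect_fd_links()):
            exe = [os.path.realpath(f"/proc/{p}/exe") for p in pids]
            print(f"{ip}:{port}  pid={pids}  exe={exe}")
```

Run as root for a complete owner map; as an ordinary user only your own processes resolve, which is exactly why an unowned listener deserves attention.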
On Linux, YUM (Yellow dog Updater, Modified) applies package updates. (4) Default settings: change defaults such as "1234" before the OS goes into service.
3. Conclusion. 10 [not recoverable]. The state of game security should be as plain as looking at fire (明若觀火). Client-side anti-hack programs (nprotect, HackShield) help but are not 100% effective; they must be combined with server-side and network controls.
<Figure 3-3-1> Existing ISP damage case